You can use either the Oracle Enterprise Manager user interface or the WLST command-line utility to configure Oracle Database import and export profiles.
See Section 7.1, "Managing Synchronization Profiles Using Fusion Middleware Control," for help creating and managing profiles using the user interface.
See Section 7.2, "Managing Synchronization Profiles Using manageSyncProfiles," for help creating and managing profiles using the WLST manageSyncProfiles command utility.
This chapter describes the "DBReader" configuration files that you can modify from the command line to synchronize data stored in Oracle Database tables with the Oracle back-end directory. The synchronization can be either incremental—for example, one database table row at a time—or all the database tables at once.
This chapter also describes the "dbexport" configuration files that you can modify if you want to create from the command line an export profile that will synchronize an Oracle back-end directory with an Oracle Database.
Note:
Multi-valued attribute synchronization from the database to the Oracle back-end directory is not supported.
The Oracle Directory Integration Platform application does not support database delete operations. You can, however, create an outside trigger that will directly delete entries in the Oracle back-end directory whenever a row is deleted in the database. Information about how to create such a trigger is outside of the scope of this documentation.
This chapter contains these topics:
Note:
Before reading this chapter, be sure to familiarize yourself with the introductory chapters about Oracle Directory Integration Platform—specifically:
To create an import profile that synchronizes data in Oracle Database with the Oracle back-end directory, open the sample file DBReader.cfg.master in the $ORACLE_HOME/ldap/odi/conf directory, and edit it to your specifications.
To create an export profile that synchronizes data in the Oracle back-end directory with Oracle Database, open the sample file dbexport.cfg.master in the $ORACLE_HOME/ldap/odi/conf directory, and edit it to your specifications.
Understanding the Format of the Additional Configuration Information File
It is very important to follow the correct format of this file. The various sections are divided using TAG names. Every TAG section has a list of parameters and their respective values. The general layout is as follows:
[TAG] PARAMETER1: value PARAMETER2: value [TAG] PARAMETER1: value PARAMETER2: value\ VALUE continuation\ value continuation\ end of value continuation [TAG] PARAMETER1: value PARAMETER2: value\ end of value continuation
Understanding the DBReader.cfg.master Configuration File
During synchronization from Oracle database to the Oracle back-end directory, the DBReader.cfg.master file governs the retrieval of data from the database. It provides the Oracle Directory Integration Platform with the following information:
The SELECT statement to execute
Either the attributes or the database columns to be used in incremental synchronization. Generally, this is either an attribute that contains a timestamp or a change sequence number that the next SQL statement should use to retrieve incremental data.
The DBReader.cfg.master file looks like this:
[DBQUERY] SELECT: SELECT\
EMPNO EmpNum,\ ENAME,\ REPLACE(EMAIL),'@ACME.COM','') UID,\ EMAIL,\ TELEPHONE,\ TO_CHAR(LAST_UPDATE_DATE,'YYYYMMDDHH24MISS') Modified_Date\
FROM\
EMPLOYEE\
WHERE\
LAST_UPDATE_DATE>TO_DATE (:Modified_Date,'YYYYMMDDHH24MISS')\
ORDER BY\ LAST_UPDATE_DATE [SYNC-PARAMS] CHANGEKEYATTRS: Modified_Date
Note that the entire SELECT statement is put as a value in the SELECT parameter in the section represented by the tag DBQUERY. Because it is a lengthy value, the value continuation character is put as the last character in every line until the SELECT statement ends.
Also note the WHERE condition that is present in the SELECT statement. The WHERE condition picks up changes based on the Modified_Date. To copy modified user records to the Oracle back-end directory, update the WHERE clause to pick up the records. In this example, the Modified_Date is the key for incremental synchronization. Because it is a date, it must be presented in string format.
The CHANGEKEYATTRS parameter value is the name of the columns to be used while performing incremental synchronization. The values of these columns are always stored in the orclodipcondirlastappliedchgnum attribute of the profile. Every time the SELECT statement is executed, the current values of this attribute are put into the SQL statement accordingly. This ensures that the data is always retrieved incrementally.
If there are multiple column names in the CHANGEKEYATTRS—for example, column1:column2—then the value in the orclodipcondirlastappliedchgnum attribute of the profile is stored as value1~value2 and so on, with value1 corresponding to column1 and value2 to column2.
Column names are retrieved into Oracle Directory Integration Platform as attribute value pairs and subsequently mapped into LDAP attribute values according to set mapping rules. For this reason, all columns names retrieved in the SELECT statement must be simple names rather than expressions. For example, you can have the expression REPLACE(EMAIL),'@ACME.COM',''), but it retrieves the expression value as UID.
When the profile is created, the orclodipcondirlastappliedchgnum attribute must be set to some value. All changes after this date—that is, rows in the table with LAST_UPDATE_DATE greater than this value—are retrieved. For example, if the orclodipcondirlastappliedchgnum attribute is set to 20000101000000, then all employee changes since January 1, 2000 are retrieved.
Because of the ORDER BY clause, all the database rows returned are in the order of LAST_UPDATE_DATE—that is, the changes retrieved and applied to the directory are in chronological order. Once the last change is retrieved and applied:
The orclodipcondirlastappliedchgnum attribute value is set to the Modified_Date from the last row retrieved.
The profile is updated.
Whenever the Oracle Directory Integration Platform executes the profile again, it uses the previously stored value.
Understanding the dbexport.cfg.master Configuration File
The dbexport.cfg.master file describes the structure of the Oracle database. It provides the Oracle Directory Integration Platform with the following information:
Primary Table. The database table that all of the other tables in the profile are connected to. Every dbexport.cfg.master file should have one primary table.
Primary Keys. Specifies the primary key(s) for the table(s) to which you are syncing. Primary keys should be defined for all table names that are involved in this configuration.
If a primary key consists of multiple columns, list each column name separated by a comma. For example: id,name,dob.
Table Relations. Defines the relationships between the primary table and all of the other tables involved in the profile by specifying the connecting attribute(s). In the sample file, id is the connecting attribute.
If needed, use a comma separated list to specify multiple attributes, for example: id,name.
The dbexport.cfg.master file looks like this:
[INTERFACEDETAILS] Writer: oracle.ldap.odip.gsi.DatabaseWriter CheckAllEntries: null SkipErrorToSyncNextChange: false UpdateSearchCount: 100 SearchDeltaSize: 500 [SYNC-PARAMS] PRIMARY_TABLE: table1 [PRIMARY-KEYS] table1:id table2:id [TABLE-RELATIONS] table1^table2:id
Note:
The SkipErrorToSyncNextChange parameter determines how the Oracle directory integration and provisioning server handles an error when processing a change during synchronization. By default, the SkipErrorToSyncNextChange parameter is assigned a value of false, which means that the Oracle directory integration and provisioning server will continue processing a change until the error is resolved. If you assign a value of true to the SkipErrorToSyncNextChange parameter, the Oracle directory integration and provisioning server will skip any changes that cause an error. Any failures are recorded in the $ORACLE_HOME/ldap/odi/log/profilename.aud audit log file. If you do assign a value of true to the SkipErrorToSyncNextChange parameter, be sure to periodically review the audit log for failures.
The DBReader.map.master Configuration File
Follow the instructions in "Mapping rules and formats" for information about configuring mapping rules.
The dbexport.map.master Configuration File
Review the instructions in "Mapping rules and formats". Then open the sample file dbexport.map.master in the $ORACLE_HOME/ldap/odi/conf directory, and edit it to your specifications.
The mapping rule format for the dbexport.map.master configuration file specifies a destination table name and a destination column name instead of a destination objectclass and destination attribute.
For example, here is a sample map rule:
uid:1::inetorgperson:id::table2:
In this example, uid is the source attribute and inetorgperson is the source objectclass. Next, id is the destination column and table2 is the destination table name. You must include in the map file whichever column is designated as the primary key, and you must also specify that it is a required attribute. In the example mapping rule, the :1 following the uid source attribute indicates that uid is a required attribute.
You can create a directory integration profile by using the Oracle Enterprise Manager Fusion Middleware Control user interface. For instructions, see Section 7.1, "Managing Synchronization Profiles Using Fusion Middleware Control."
When you use Oracle Enterprise Manager Fusion Middleware Control, you must upload the additional configuration information file and the mapping file by using the update operation of the manageSyncProfiles command. For help using the manageSyncProfiles command, see Section 7.2, "Managing Synchronization Profiles Using manageSyncProfiles."
To configure the directory integration profile, follow the general instructions in "Registering Connectors in Oracle Directory Integration Platform", but with these specific instructions in mind:
Do not set a value for the agent execution command (orclodipAgentExeCommand) attribute.
Set the interface type (orclodipDataInterfaceType) attribute to DB.
This section demonstrates how to synchronize a relational database table with the Oracle back-end directory.
Note:
Directory Integration Platform database profiles do not support delete operations. You can, however, create a separate trigger outside of DIP that will directly delete entries in the Oracle back-end directory whenever a row is deleted in the database. Information about how to create such a trigger is outside of the scope of this documentation.
This section contains these topics:
In this example, the following relational database table containing employee data is synchronized with the Oracle back-end directory:
| EMPNO | ENAME | LAST_UPDATE_DATE | TELEPHONE | |
|---|---|---|---|---|
|
98357 |
JOHN DOE |
2-JAN-2000 |
JOHN.DOE@ACME.COM |
435-324-3455 |
|
98360 |
ROGER BECK |
3-JUL-2001 |
ROGER.BECK@ACME.COM |
435-324-3600 |
|
98365 |
JIMMY WONG |
4-MAR-2001 |
JIMMY.WONG@ACME.COM |
435-324-2390 |
|
98370 |
GEORGE TWINSLEY |
6-FEB-2002 |
GEORGE.TWINSLEY@ACME.COM |
435-324-9232 |
You can find a sample profile (DBReader.properties), configuration, and mapping files for this example in the $ORACLE_HOME/ldap/odi/conf directory.
In this example:
The name of the table is Employee.
The Profile Name is TESTDBIMPORT.
The employee number (EMPNO) is used to join a database record with a directory entry. It is specified in the OID Matching Filter (orclOdipOIDMatchingFilter) attribute described in the attributes reference chapter of the Oracle Identity Management User Reference.
This table is present in the testsync/testsyncpwd schema in a database. The database is located on the host machine.acme.com, the database listener port is 1526, and the SID is iasdb. The database URL is machine.acme.com:1526:iasdb.
Appropriate read/write permissions were given explicitly to this profile, namely: orclodipagentname=testdbimport,
cn=subscriber profile,
cn=changelog subscriber,
cn=oracle internet directory
The profile is created in configuration set 1.
This example uses the same Additional Configuration Information file described earlier in "Preparing the Additional Configuration Information File".
The mapping file for this example contains the following:
DomainRules NONLDAP:dc=testdbsync,dc=com:uid=%,dc=testdbsync,dc=com AttributeRules ename: : : :cn: :person ename : : : :sn: :person uid : : : :uid: :inetOrgperson: EMail: : : :mail: :inetOrgperson Telephone: : : :telephonenumber: :inetOrgperson empnum: : : :employeenumber: :inetOrgperson
This mapping file specifies the following:
Directory entries are created as uid=%,dc=testdbsync,dc=com. The percent sign (%) is a placeholder for the actual value of uid. The uid must be present in the mapping rules so that it has a value after the mapping. Otherwise, the DN construction fails.
Both the cn and sn attributes need to have the same value as ename.
The uid element must have the value of the EMail prefix, which is the element of the e-mail address prior to the at sign (@) character.
The empnum attribute becomes employeenumber in the directory entry.
The telephone attributes becomes telephone number in the directory entry.
The directory integration profile for this example contains the attribute values as described in Table 9-1. A sample integration profile with these values populated and the corresponding mapping and configuration files are available in $ORACLE_HOME/ldap/odi/conf directory. You can create the profile by using Oracle Enterprise Manager Fusion Middleware Control or following the instructions described in "Creating Synchronization Profiles".
Table 9-1 Directory Integration Profile for TESTDBIMPORT
| Attribute | Value |
|---|---|
|
Profile Name ( |
|
|
Synchronization Mode ( |
|
|
Profile Status ( |
|
|
Agent Execution Command ( |
null |
|
Advanced Configuration Information ( |
Maintains configuration details which are not individually maintained in LDAP attributes. |
|
Connected Directory Account ( |
|
|
Connected Directory Account Password ( |
|
|
Connected Directory URL ( |
|
|
Interface Type ( |
|
|
Mapping File ( |
Attribute for storing mapping rules. |
|
OID Matching Filter ( |
This means that Once a database row is retrieved, the Oracle Directory Integration Platform searches the directory for that |
|
Last Applied Change Number ( |
This means that the first time the profile executes, it retrieves and synchronizes all four rows. Subsequently, it retrieves rows only when the |
Use the update operation of the manageSyncProfiles command to update the additional configuration information and mapping files, as follows:
manageSyncProfiles update -h HOST -p PORT -D WLS_USER -pf PROFILE_NAME -file FILE_NAME
In this example, the sequence of steps in the synchronization process is:
The Oracle Directory Integration Platform starts a new profile thread for the TESTDBIMPORT profile every time the value specified in the scheduling interval (odip.profile.schedinterval) attribute expires.
The profile thread reads the additional configuration information to get the SQL to execute, and then runs the SQL.
For every row retrieved from the database, the mapping rules are applied to the record, and LDAP attributes are created.
Depending on the OID Matching Filter (odip.profile.oidfilter) attribute, the Oracle Directory Integration Platform determines whether a matching entry exists in the Oracle back-end directory. If it exists, then it is updated. If not, then a new entry is created. After the directory operation, the last applied change number (odip.profile.lastchgnum) attribute is updated.
Note:
The OID Matching Filter (odip.profile.oidfilter) attribute supports Oracle Unified Directory and Oracle Directory Server Enterprise Edition, as well as Oracle Internet Directory.
When a row is retrieved from the database, it is in the following form:
EmpNum: 98357 EName: JOHN DOE UID: JOHN.DOE EMAIL: JOHN.DOE@ACME.COM TELEPHONE: 435-324-3455 Modified_Date: 20000102000000
After the mapping is performed on this record, the output is in the following form:
dn: uid=john.doe,dc=testdbsync,dc=com uid: JOHN.DOE cn: JOHN DOE sn: JOHN DOE mail: JOHN.DOE@ACME.COM employeenumber: 98357 telephonenumber: 435-324-3455 objectclass: person objectclass: inetorgperson
A subtree search is made in the directory with the filter employeenumber=98357 under the domain dc=testdbsync,dc=com. If the search yields an existing entry, then that entry is updated. Otherwise, a new entry is created. Because the OID Matching Filter (odip.profile.oidfilter) attribute is set to employeenumber, every database record retrieved must have that column. In this case, it is EmpNum as it maps to employeenumber.
Any other attributes in the mapping file that are not in the data retrieved by SQL are ignored—for example, the birthday attribute.
After the profile thread processes all the change records from SQL, it updates the directory with correct values for these attributes:
Last Applied Change Number (odip.profile.lastchgnum)
Last Execution Time (orclOdipLastExecutionTime)
Last Successful Execution Time (orclOdipLastSuccessfulExecutionTime)